Security
Defaults that hold up under audit.
WAF, brute-force defense, automatic security headers, SSH-CA host certificates, encrypted off-site backups, full audit log. Customers can request the threat model under NDA through the trust center.
What's on by default
You don't have to enable anything to get a hardened site.
Edge WAF
OWASP-aligned ruleset at the edge. Bot scoring. Geo-blocking for sites that need it.
Brute-force defense
/wp-login, /admin, /xmlrpc — rate-limited and challenged by default. Per-IP and per-account.
Security headers
HSTS (preload-eligible), X-Frame-Options, CSP baseline, Referrer-Policy, Permissions-Policy. All pre-set.
SSH-CA host certificates
Short-lived SSH certs from a central CA. No long-lived keys floating around. Revocable in seconds.
Per-site Linux user + cgroups v2
Every site runs under its own dedicated Linux user inside a cgroups v2 slice. A compromised plugin on site A cannot touch site B's filesystem, database, or CPU budget.
Touch ID step-up on privileged actions
Reveal a database password, delete a site, promote a domain — every high-impact action fires a fresh 2FA challenge. Phishing-resistant passkeys end the password-reset hairball.
Full audit log
Every login, every key, every deploy, every cert, every promote, every secret reveal. Streamed to your SIEM on Enterprise.
DPA on request
GDPR-clean residency. Standard Contractual Clauses where needed. Sub-processor list public.
Compliance
What we have, and what's in flight.
GDPRDPA on requestSOC 2 Type I · Q3 2026SOC 2 Type II · Q1 2027ISO 27001 · Q4 2026PCI-DSS SAQ-A · Q3 2026
For the up-to-date compliance summary or to request our threat model under NDA, visit cubitrace.com/trust. Security disclosures go to [email protected] — we ack within 24 hours, fix within our published SLAs.
Disclose responsibly
Found something? We pay bounties.
[email protected] · PGP key available on request · in-scope assets and rewards published.